Meta

Month: January 2017

“Yay! Going to the beach is brilliant! Let me get me get my…..woooahh, hang on. Going to the beach can be dangerous. Because there are”…..[insert risk here]

What did you say? Was it ‘sharks’? Course it was. The beach is dangerous because of sharks.

Bollocks.

There ain’t no sharks at the beach. If you live in the UK, there has never, ever, ever been a person eaten by a shark. Ever. Apparently back in 1937 a boat was capsized and three people died, but really, you’re more likely to get killed by picking your nose.

So why do we think about sharks when we consider beach risk? Well mostly, because humans are utterly useless at assessing risk. For the most part we have absolutely no idea how to look at risk and determine how bad it is and what the best way of mitigating it is. (We’re very big fans of risk transference but more on that later) Because we’re all a bit thick, to be quite frank.

Well, that’s a little unfair. There’s some externals. Mostly made up of other humans. But generally, we’re thick.

Humans are also useless at assessing risk in the other direction. Here’s a risk I see a lot (I work in Information Security).

Phishing emails. Insanely common, mainly because we’re terrible at assessing risks. They work so well because humans just love clicking on those links. They don’t stop to think, they don’t consider the long education programs they’ve been subjected to. They don’t recall the phishing tests they see regularly from their *brilliant* information security team. Nope, they just click. I can absolutely guarantee I will get at least a 5% success rate with any phishing campaign I fire at an organisation. Absolutely guarantee it. And I only need one click for the campaign to be a success.

It works because links look so common, so anti-climatic, so inert that some people will never believe they are dangerous when the reality is they can be incredibly, devastatingly dangerous. (Phishing emails now the most common initial attack vector for all successful breaches, by far). That’s a whole different discussion but these attacks can and do cost companies hundreds of millions of pounds and it all begins with a single, thoughtless click.

Where else are humans rubbish at assessing risk? Out on the roads? Yes, I expect we are.

Ask your average person in the street about road safety and they’ll almost certainly mention cyclists, either as victims or perps of road violence. As I said, thick. Cyclists are hugely benign as a source of road violence, comparatively but they’re a different group for most people so othering takes over. As for victims of road violence, cyclists certainly take a bit of a beating (sic) compared to say, car occupants, but it’s still an incredibly safe form of transport and no more dangerous than walking about the place.

What’s massively more dangerous than cycling, is *not* cycling. You won’t find any car company telling you that.

There are a whole stream of epidemics hitting this country. Pollution, obesity, heart disease, all killers, but you can guarantee these average people in the street won’t consider these risks when carrying out their own assessments because they’re not obvious.

The dangers of cycling aren’t obvious either, are they?

Oh…. You see, people *think* cycling is dangerous because they’re told it’s dangerous by a whole assortment of poorly informed, poorly intentioned organisations some of whom have plenty of skin in the game of making it look so (car companies are top of the list). The media quite happily buy into this by running near constant campaigns lambasting cyclists whilst ignoring their ‘most read’ sub-headings covering yet another killer driver.

Because nothing generates hits like ‘Cyclist’ on their front page. It’s like shouting ‘Shark’ at the beach.

There are no sharks at the beach.

Risk assessment demands a good level of common sense, don’t let the nonsense people feed you take yours away.